npm - @metalabel/dfos-web-relay - Versions diffs - 0.4.0 → 0.5.0 - Mend

@metalabel/dfos-web-relay 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 Portable HTTP relay for the [DFOS protocol](https://protocol.dfos.com). Receives, verifies, stores, and serves identity chains, content chains, beacons, countersignatures, and content blobs.
-See [RELAY.md](./RELAY.md) for the full protocol specification.
+See [RELAY.md](./RELAY.md) for the full relay specification.
 ## Install
@@ -12,6 +12,8 @@ npm install @metalabel/dfos-web-relay @metalabel/dfos-protocol
 ## Usage
+### Embedded (Hono app)
 ```typescript
 import { createRelay, MemoryRelayStore } from '@metalabel/dfos-web-relay';
@@ -24,6 +26,77 @@ const relay = createRelay({
 export default relay;
 ```
+### Standalone (Node.js)
+```typescript
+import { serve } from '@metalabel/dfos-web-relay/node';
+serve({ port: 4444 });
+```
+## Routes
+| Method | Path                                     | Description                                                      |
+| ------ | ---------------------------------------- | ---------------------------------------------------------------- |
+| `GET`  | `/.well-known/dfos-relay`                | Relay metadata (DID, protocol version)                           |
+| `POST` | `/operations`                            | Submit signed operations (identity, content, beacon, countersig) |
+| `GET`  | `/identities/:did`                       | Get identity chain state and operation log                       |
+| `GET`  | `/content/:contentId`                    | Get content chain state and operation log                        |
+| `GET`  | `/operations/:cid`                       | Get a single operation by CID                                    |
+| `GET`  | `/beacons/:did`                          | Get beacon for an identity                                       |
+| `GET`  | `/countersignatures/:cid`                | Get countersignatures for an operation                           |
+| `GET`  | `/operations/:cid/countersignatures`     | Same as above (alias)                                            |
+| `PUT`  | `/content/:contentId/blob/:operationCID` | Upload blob (auth required)                                      |
+| `GET`  | `/content/:contentId/blob`               | Download blob at head (auth + credential)                        |
+| `GET`  | `/content/:contentId/blob/:ref`          | Download blob at specific operation ref                          |
+## Blob Authorization
+**Upload**: Auth token required. Caller must be the chain creator or the signer of the referenced operation (enables delegated upload).
+**Download**: Auth token required. Chain creator can download directly. Other identities must present a `DFOSContentRead` VC-JWT credential (issued by the creator) in the `X-Credential` header.
+## Conformance Test Suite
+The `conformance/` directory contains a Go integration test suite that exercises the full relay HTTP surface. It runs against any live relay via the `RELAY_URL` environment variable.
+```bash
+# Run against a local relay
+RELAY_URL=http://localhost:4444 go test -v -count=1 ./conformance/
+# Run against a remote relay
+RELAY_URL=https://registry.imajin.ai/relay go test -v -count=1 ./conformance/
+```
+71 tests covering:
+- Well-known discovery
+- Identity lifecycle (create, update, delete, batch, idempotency, controller key rotation)
+- Content lifecycle (create, update, delete, fork rejection, post-delete rejection, notes, long chains)
+- Content update after auth key rotation, multiple independent chains
+- Operations by CID
+- Beacons (create, replacement, not-found, unknown/deleted identity)
+- Countersignatures (dedup, empty result, multi-witness, self-countersign, non-existent operation)
+- Blob upload/download (CID verification, auth, credential-based access, multi-version, idempotent upload)
+- Delegated content operations (write credentials, delegated blob upload, delegated delete)
+- Credentials (expiry, scope mismatch, type enforcement, deleted issuer behavior)
+- Signature verification (tampered signature, wrong signing key)
+- Auth edge cases (wrong audience, expired token, rotated-out key)
+- Batch processing (3-step dependency sort, content-identity sort, large batch, dedup, mixed valid/invalid, multi-chain)
+- Input validation (malformed JSON, empty operations, invalid JWS)
+The conformance suite depends on [`dfos-protocol-go`](../dfos-protocol-go) for protocol operations.
+## Custom Store
+Implement the `RelayStore` interface to use any persistence backend:
+```typescript
+import type { RelayStore } from '@metalabel/dfos-web-relay';
+```
+`MemoryRelayStore` is provided as a reference implementation and for testing.
 ## License
 MIT

package/RELAY.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # DFOS Web Relay
-An HTTP relay for the DFOS protocol — receives, verifies, stores, and serves identity chains, content chains, beacons, countersignatures, and content blobs.
+An HTTP relay for the DFOS protocol — receives, verifies, stores, and serves identity chains, content chains, artifacts, beacons, countersignatures, and content blobs.
 This spec is under active review. Discuss it in the [clear.txt](https://clear.dfos.com) space on DFOS.
@@ -24,7 +24,7 @@ The relay serves two distinct planes of data with different access models:
 ### Proof Plane (public)
-Signed chain operations, beacons, and countersignatures. These are cryptographic proofs — anyone can verify them with a public key. The proof plane gossips freely: relays push operations to peers, peers verify and store independently.
+Signed chain operations, artifacts, beacons, and countersignatures. These are cryptographic proofs — anyone can verify them with a public key. The proof plane gossips freely: relays push operations to peers, peers verify and store independently.
 All proof plane routes are unauthenticated. The operations themselves carry their own authentication (Ed25519 signatures).
@@ -39,34 +39,36 @@ Content plane access requires two credentials:
 The content creator (the DID that signed the genesis content operation) can always read their own blobs with just an auth token.
+Content plane support is optional per relay. When disabled (`content: false` in the well-known response), all content plane routes return **501 Not Implemented** — not 404 (resource doesn't exist), but 501 (capability not supported).
 ---
 ## Operation Ingestion
-All proof plane artifacts enter through a single endpoint: `POST /operations`. The request body is an array of JWS tokens — identity operations, content operations, beacons, and countersignatures can be mixed freely in the same batch.
+All proof plane operations enter through a single endpoint: `POST /operations`. The request body is an array of JWS tokens — identity operations, content operations, artifacts, beacons, and countersignatures can be mixed freely in the same batch.
 ### Classification
 Each token is classified by its JWS `typ` header:
-| `typ` header           | kid DID == payload DID? | Classification           |
-| ---------------------- | ----------------------- | ------------------------ |
-| `did:dfos:identity-op` | —                       | Identity chain operation |
-| `did:dfos:content-op`  | yes                     | Content chain operation  |
-| `did:dfos:content-op`  | no                      | Countersignature         |
-| `did:dfos:beacon`      | yes                     | Beacon announcement      |
-| `did:dfos:beacon`      | no                      | Beacon countersignature  |
+| `typ` header           | Classification           |
+| ---------------------- | ------------------------ |
+| `did:dfos:identity-op` | Identity chain operation |
+| `did:dfos:content-op`  | Content chain operation  |
+| `did:dfos:beacon`      | Beacon announcement      |
+| `did:dfos:artifact`    | Artifact                 |
+| `did:dfos:countersign` | Countersignature         |
-When the signing key's DID differs from the payload DID, the operation is classified as a countersignature (witness attestation) rather than a primary operation.
+Each operation type has its own `typ` header. Classification is unambiguous — no DID comparison needed.
 ### Dependency Sort
 Within a batch, operations are sorted by dependency priority before processing:
 1. **Identity operations** — must be processed first so their keys are available
-2. **Beacons** — reference identity keys
-3. **Content operations** — reference identity keys for signature verification
-4. **Countersignatures** — reference both identity keys and existing operations
+2. **Beacons and artifacts** — reference identity keys for signature verification
+3. **Content operations** — reference identity keys, may have chain dependencies
+4. **Countersignatures** — reference identity keys and existing operations (target must exist)
 Within each priority level, genesis operations (no `previousOperationCID`) are processed before extensions. This ensures that a single batch can bootstrap an entire identity-and-content lifecycle — including chained create + update operations — without multiple round trips.
@@ -74,19 +76,34 @@ Within each priority level, genesis operations (no `previousOperationCID`) are p
 Each operation is verified against the relay's stored state:
-- **Identity operations**: The full chain (stored log + new operation) is re-verified from genesis. The relay uses `verifyIdentityChain()` from the protocol library
-- **Content operations**: The full chain is re-verified with `enforceAuthorization: true`. Non-creator signers must include a `DFOSContentWrite` VC-JWT
+- **Identity operations**: Extension operations are verified against the relay's current trusted state using O(1) extension verification — the trusted head state plus the new operation is sufficient. Genesis operations verify the single-operation chain. The relay uses `verifyIdentityChain()` / `verifyIdentityExtensionFromTrustedState()` from the protocol library
+- **Content operations**: Extension operations are verified against trusted state with `enforceAuthorization: true`. Non-creator signers must include a `DFOSContentWrite` VC-JWT. The relay uses `verifyContentChain()` / `verifyContentExtensionFromTrustedState()` from the protocol library
+- **Artifacts**: Signature is verified against the signing DID's current identity state. CID integrity is checked. Payload must conform to the declared `$schema`. CBOR-encoded payload must not exceed 16384 bytes
 - **Beacons**: Signature, CID integrity, and clock skew are verified. Replace-on-newer: only the most recent beacon per DID is retained
-- **Countersignatures**: The referenced operation or beacon must already exist. Signature is verified against the witness DID's identity chain
-- **Beacon countersignatures**: The referenced beacon must exist and the countersignature CID must match the current beacon CID
+- **Countersignatures**: Two-phase verification. Protocol-level (stateless): signature, CID integrity, payload schema. Relay-level (stateful): target CID must exist in the relay, witness DID must differ from the target's author DID, one countersign per witness per target
 ### Fork Policy
 First-seen-wins. If a chain head has already advanced past the `previousOperationCID` referenced by an incoming operation, the new operation is rejected. The relay does not attempt to resolve forks — the first valid extension wins.
-Duplicate submissions (same operation CID) are silently accepted (idempotent).
+Duplicate submissions (same operation CID, same JWS token) are silently accepted (idempotent). Submissions with the same CID but a different JWS token are rejected — since Ed25519 is deterministic, a different token for the same payload means a different signing key, which is either a self-countersign attempt or an unauthorized re-sign.
+Duplicate countersignatures (same witness DID, same target CID) MUST be deduplicated — one countersign per witness per target. The relay MUST NOT store multiple attestations from the same witness for the same target. Resubmission SHOULD return `accepted` (idempotent).
+### Deletion Semantics
+Deletion means the identity stops being an active participant. Historical operations remain verifiable — keys persist in state for signature verification — but no new acts flow from a deleted identity.
+Specifically:
-Duplicate countersignatures (same witness DID, same target CID) MUST be deduplicated. The relay MUST NOT increase the countersignature count on resubmission. Resubmission SHOULD return `accepted` (idempotent).
+- **Identity operations after deletion**: Rejected. A deleted identity chain is sealed.
+- **Content operations after deletion**: Rejected. A deleted content chain is sealed.
+- **Beacons from deleted identities**: Rejected. A deleted identity MUST NOT publish new beacons.
+- **Artifacts from deleted identities**: Rejected. A deleted identity MUST NOT publish new artifacts.
+- **Credentials from deleted issuers**: Rejected. Identity deletion revokes all authority, including outstanding `DFOSContentRead` and `DFOSContentWrite` credentials issued by the deleted identity. Credentials that were valid at time of issuance cease to be honored once the issuer is deleted.
+- **Countersignatures from deleted witnesses**: Rejected. A deleted identity MUST NOT publish new countersignatures. Countersignatures on operations by deleted authors are still accepted — deletion of the target's author does not prevent other identities from attesting.
+Self-countersignatures — where the witness DID matches the target's author DID — are rejected at the relay level. A countersignature's semantic is "a distinct witness attests." The protocol-level verifier is stateless and does not enforce this; the relay resolves the target's author and rejects self-attestation.
 ### Result Ordering
@@ -94,14 +111,226 @@ Ingestion results are returned in the same order as the input `operations` array
 ---
+## Artifacts
+Artifacts are standalone signed inline documents — immutable, CID-addressable proof plane primitives. Unlike chain operations which extend a sequence, an artifact is a single signed statement with no predecessor or successor.
+### Payload
+```json
+{
+  "version": 1,
+  "type": "artifact",
+  "did": "did:dfos:...",
+  "content": {
+    "$schema": "https://schemas.dfos.com/profile/v1",
+    "name": "My Relay",
+    "description": "A relay for the dark forest"
+  },
+  "createdAt": "2026-03-25T00:00:00.000Z"
+}
+```
+The `content` object MUST include a `$schema` string that identifies the artifact's schema. The schema acts as a discriminator — consumers use it to determine how to interpret the artifact's content. Schema names are free-form strings (no protocol-level registry). Communities may establish conventions for well-known schemas.
+### Constraints
+- **JWS `typ` header**: `did:dfos:artifact`
+- **Max payload size**: 16384 bytes CBOR-encoded. This is a protocol constant — not configurable per relay
+- **Immutability**: Once ingested, an artifact is never updated or replaced. To "update" an artifact's content, publish a new artifact
+- **CID-addressable**: Each artifact is addressed by the CID of its CBOR-encoded payload
+### Verification
+1. JWS signature verification against the signing DID's current key state
+2. CID integrity — the payload CID matches the computed CID from the raw payload bytes
+3. Payload schema validation — the payload conforms to the artifact structure (`version`, `type`, `did`, `content` with `$schema`, `createdAt`)
+4. Size limit — CBOR-encoded payload does not exceed 16384 bytes
+---
+## Countersignatures
+A countersignature is a standalone witness attestation — a signed statement that references a target operation by CID. Unlike the original operation primitives (which carry the data itself), a countersign is pure attestation: "I, witness W, attest to operation X."
+### Payload
+```json
+{
+  "version": 1,
+  "type": "countersign",
+  "did": "did:dfos:witness...",
+  "targetCID": "bafy...",
+  "createdAt": "2026-03-25T00:00:00.000Z"
+}
+```
+### Properties
+- **JWS `typ` header**: `did:dfos:countersign`
+- **Own CID**: Each countersign has its own CID, distinct from the target. This avoids the ambiguity of multiple JWS tokens sharing the same CID
+- **Stateless verification**: Signature + CID integrity + payload schema. No relay state required to verify the cryptographic validity of a countersign
+- **Composable**: The `targetCID` can reference any CID-addressable operation — content ops, beacons, artifacts, identity ops, even other countersigns
+- **Immutable**: Once published, a countersign is permanent
+### Relay-Level Checks
+The relay enforces semantic rules beyond cryptographic validity:
+1. **Target exists**: The `targetCID` must reference an operation already stored in the relay
+2. **Witness ≠ author**: The countersign's `did` (witness) must differ from the target operation's author DID
+3. **Deduplication**: One countersign per witness per target. If the same witness submits a second countersign for the same target, the relay accepts idempotently
+4. **Deleted witness rejection**: Countersigns from deleted identities are rejected
+---
 ## Relay Identity
-Every relay has a DID, published at `GET /.well-known/dfos-relay`. The relay DID serves as:
+Every relay has a DID that resolves on its own proof plane. The relay DID serves as:
 - **Auth token audience**: Auth tokens are scoped to a specific relay via the JWT `aud` claim, preventing cross-relay token replay
 - **Peer identity**: When relays gossip proof plane data to each other, the relay DID identifies the peer
+- **Self-proof anchor**: The relay's identity chain lives in its own store, verifiable by anyone querying the relay
+### Relay Profile
+The relay MUST publish a profile artifact signed by its own DID using the HEAD key state. The profile artifact uses the `https://schemas.dfos.com/profile/v1` schema:
+```json
+{
+  "$schema": "https://schemas.dfos.com/profile/v1",
+  "name": "edge.relay.dfos.com",
+  "description": "Cloudflare edge relay for the DFOS network",
+  "image": { "id": "relay-avatar", "uri": "https://cdn.example.com/avatar.png" },
+  "operator": "Metalabel",
+  "motd": "Welcome to the dark forest"
+}
+```
-The relay does not currently sign operations or participate in the protocol as an identity. It's a passive verifier and store.
+All fields are optional except `name`, which SHOULD be present. The `image.uri` field is any valid URI (operator choice — CDN, content-plane reference, or any resolvable URL). The profile JWS token is inlined in the well-known response — self-proving, no extra fetch needed.
+### Well-Known Endpoint (`GET /.well-known/dfos-relay`)
+Returns relay metadata. All fields are required — `profile` is the relay's proof of DID controllership (an artifact JWS signed by the relay DID's controller key).
+```json
+{
+  "did": "did:dfos:edgerelay0000000000000",
+  "protocol": "dfos-web-relay",
+  "version": "0.1.0",
+  "proof": true,
+  "content": false,
+  "profile": "eyJhbGciOiJFZERTQSIs..."
+}
+```
+| Field      | Type    | Description                                                                |
+| ---------- | ------- | -------------------------------------------------------------------------- |
+| `did`      | string  | The relay's DID, resolvable on this relay's proof plane                    |
+| `protocol` | string  | Protocol identifier, always `"dfos-web-relay"`                             |
+| `version`  | string  | Relay protocol version (semver)                                            |
+| `proof`    | boolean | MUST be `true`. A relay without proof plane capability is not a relay      |
+| `content`  | boolean | Whether the relay supports content plane (blob upload/download)            |
+| `profile`  | string  | The relay's profile artifact as a compact JWS token — self-proving payload |
+`proof: false` is not a valid value. A compliant relay always serves the proof plane.
+---
+## Operation Log
+The relay maintains a global append-only operation log. Every successfully ingested operation (identity ops, content ops, artifacts, beacons, countersignatures) is appended to the log in ingestion order.
+### Global Log (`GET /log?after={cid}&limit=N`)
+Returns log entries starting after the given CID cursor.
+```json
+{
+  "entries": [
+    {
+      "cid": "bafy...",
+      "jwsToken": "eyJhbGciOiJFZERTQSIs...",
+      "kind": "identity-op",
+      "chainId": "did:dfos:..."
+    },
+    {
+      "cid": "bafy...",
+      "jwsToken": "eyJhbGciOiJFZERTQSIs...",
+      "kind": "artifact",
+      "chainId": "did:dfos:..."
+    }
+  ],
+  "cursor": "bafy..."
+}
+```
+| Field                | Type         | Description                                                                      |
+| -------------------- | ------------ | -------------------------------------------------------------------------------- |
+| `entries[].cid`      | string       | Operation CID                                                                    |
+| `entries[].jwsToken` | string       | The full compact JWS token — makes the log self-contained for sync               |
+| `entries[].kind`     | string       | Operation kind: `identity-op`, `content-op`, `beacon`, `artifact`, `countersign` |
+| `entries[].chainId`  | string       | DID (identity/beacon/artifact), contentId (content), or targetCID (countersign)  |
+| `cursor`             | string\|null | CID to pass as `after` for the next page. `null` means caught up                 |
+Parameters:
+- **`after`** (optional): CID cursor. Omit to start from the beginning of the log
+- **`limit`** (optional): Max entries to return. Default: 100. Max: 1000
+Pagination is forward-only. The log is ordered by ingestion time. JWS tokens are included in every entry because proof-plane JWS payloads are bounded (chain operations and artifacts have finite size), keeping the log self-contained — a syncing peer can replay the log without separate fetches.
+### Per-Chain Logs
+Identity and content chains expose their own log views with the same cursor-based pagination:
+- `GET /identities/:did/log?after={cid}&limit=N`
+- `GET /content/:contentId/log?after={cid}&limit=N`
+Same cursor-based pagination parameters as the global log. Per-chain log entries include `{ cid, jwsToken }` — the chain-specific subset of the global log entry shape. Returns operations belonging to that chain in chain order.
+---
+## Identity and Content State
+State endpoints return projected state — the computed result of replaying the chain — without embedding the full operation log.
+### Identity State (`GET /identities/:did`)
+```json
+{
+  "did": "did:dfos:abc123...",
+  "headCID": "bafy...",
+  "state": {
+    "did": "did:dfos:abc123...",
+    "isDeleted": false,
+    "authKeys": [...],
+    "assertKeys": [...],
+    "controllerKeys": [...]
+  }
+}
+```
+### Content State (`GET /content/:contentId`)
+```json
+{
+  "contentId": "abc123...",
+  "genesisCID": "bafy...",
+  "headCID": "bafy...",
+  "state": {
+    "contentId": "abc123...",
+    "genesisCID": "bafy...",
+    "headCID": "bafy...",
+    "isDeleted": false,
+    "currentDocumentCID": "bafy...",
+    "length": 1,
+    "creatorDID": "did:dfos:..."
+  }
+}
+```
+Chain history is available via the per-chain log routes described above.
 ---
@@ -167,10 +396,15 @@ interface RelayStore {
   getCountersignatures(operationCID: string): Promise<string[]>;
   addCountersignature(operationCID: string, jwsToken: string): Promise<void>;
+  appendToLog(entry: LogEntry): Promise<void>;
+  readLog(params: { after?: string; limit: number }): Promise<LogPage>;
 }
 ```
-The package includes `MemoryRelayStore` for development and testing. Production deployments would implement the interface over Postgres, SQLite, S3, or any durable store.
+The `appendToLog` / `readLog` pair supports both the global log and per-chain log queries. The store implementation determines how to scope queries (e.g., by filtering on `chainId`).
+The package includes `MemoryRelayStore` for development and testing. Production deployments would implement the interface over Postgres, SQLite, D1, or any durable store.
 ---
@@ -179,9 +413,15 @@ The package includes `MemoryRelayStore` for development and testing. Production
 ```typescript
 import { createRelay, MemoryRelayStore } from '@metalabel/dfos-web-relay';
-const relay = createRelay({
-  relayDID: 'did:dfos:myrelay00000000000000',
+// JIT mode — generates relay identity + profile artifact at startup
+const relay = await createRelay({
+  store: new MemoryRelayStore(),
+});
+// Or provide a pre-created identity (production)
+const relay = await createRelay({
   store: new MemoryRelayStore(),
+  identity: { did: 'did:dfos:myrelay...', profileArtifactJws: '...' },
 });
 // Mount on any Hono-compatible runtime
@@ -198,8 +438,11 @@ The returned Hono app exposes:
 | `GET`  | `/operations/:cid/countersignatures` | proof   | none                    |
 | `GET`  | `/countersignatures/:cid`            | proof   | none                    |
 | `GET`  | `/identities/:did`                   | proof   | none                    |
+| `GET`  | `/identities/:did/log`               | proof   | none                    |
 | `GET`  | `/content/:contentId`                | proof   | none                    |
+| `GET`  | `/content/:contentId/log`            | proof   | none                    |
 | `GET`  | `/beacons/:did`                      | proof   | none                    |
+| `GET`  | `/log`                               | proof   | none                    |
 | `PUT`  | `/content/:contentId/blob/:opCID`    | content | auth token              |
 | `GET`  | `/content/:contentId/blob[/:ref]`    | content | auth token + credential |
@@ -210,5 +453,5 @@ The returned Hono app exposes:
 - **Peer gossip**: Proactive push of proof plane operations to other relays
 - **Rate limiting / anti-spam**: Operational concern, not protocol concern
 - **Docker/CF reference deployments**: Focus on the core library first
-- **Pagination**: Chain logs are returned in full — fine for v1, needs pagination at scale
 - **Blob size limits**: No enforcement yet — production deployments should add limits at the middleware layer
+- **Artifact `$schema` registry**: Schema names are free-form strings for now — no formal registry or validation beyond structural checks

package/dist/index.d.ts CHANGED Viewed

@@ -1,16 +1,28 @@
-import { Hono } from 'hono';
 import { VerifiedIdentity, VerifiedContentChain, VerifiedBeacon } from '@metalabel/dfos-protocol/chain';
+import { Hono } from 'hono';
+interface RelayIdentity {
+    /** The relay's DID */
+    did: string;
+    /** Profile artifact JWS token (signed by the relay DID) */
+    profileArtifactJws: string;
+}
 interface RelayOptions {
-    /** The relay's DID — used as auth token audience and published in well-known */
-    relayDID: string;
     /** Storage backend */
     store: RelayStore;
+    /** Pre-created relay identity — if omitted, a JIT identity and profile are generated */
+    identity?: RelayIdentity;
+    /** Whether content plane routes are enabled (default: true) */
+    content?: boolean;
 }
 interface StoredIdentityChain {
     did: string;
     /** Ordered JWS tokens from genesis to head */
     log: string[];
+    /** CID of the most recent operation */
+    headCID: string;
+    /** createdAt timestamp of the most recent operation */
+    lastCreatedAt: string;
     state: VerifiedIdentity;
 }
 interface StoredContentChain {
@@ -18,6 +30,8 @@ interface StoredContentChain {
     genesisCID: string;
     /** Ordered JWS tokens from genesis to head */
     log: string[];
+    /** createdAt timestamp of the most recent operation */
+    lastCreatedAt: string;
     state: VerifiedContentChain;
 }
 interface StoredBeacon {
@@ -30,8 +44,8 @@ interface StoredOperation {
     cid: string;
     jwsToken: string;
     /** Which chain type this operation belongs to */
-    chainType: 'identity' | 'content';
-    /** The chain identifier — DID for identity, contentId for content */
+    chainType: 'identity' | 'content' | 'artifact' | 'beacon' | 'countersign';
+    /** The chain identifier — DID for identity/beacon/artifact, contentId for content, targetCID for countersign */
     chainId: string;
 }
 /** Key for blob storage — deduplicates across chains sharing the same document */
@@ -39,6 +53,15 @@ interface BlobKey {
     creatorDID: string;
     documentCID: string;
 }
+/** A single entry in the global append-only operation log */
+interface LogEntry {
+    cid: string;
+    jwsToken: string;
+    kind: OperationKind;
+    chainId: string;
+}
+/** All operation kinds in the protocol */
+type OperationKind = 'identity-op' | 'content-op' | 'beacon' | 'artifact' | 'countersign';
 /**
  * Storage backend for a DFOS web relay
  *
@@ -63,24 +86,45 @@ interface RelayStore {
     putBlob(key: BlobKey, data: Uint8Array): Promise<void>;
     getCountersignatures(operationCID: string): Promise<string[]>;
     addCountersignature(operationCID: string, jwsToken: string): Promise<void>;
+    appendToLog(entry: LogEntry): Promise<void>;
+    readLog(params: {
+        after?: string;
+        limit: number;
+    }): Promise<{
+        entries: LogEntry[];
+        cursor: string | null;
+    }>;
 }
 interface IngestionResult {
     cid: string;
     status: 'accepted' | 'rejected';
     error?: string;
     /** What was ingested */
-    kind?: 'identity-op' | 'content-op' | 'beacon' | 'countersig' | 'beacon-countersig';
+    kind?: OperationKind;
     /** Chain identifier if applicable */
     chainId?: string;
 }
+/**
+ * Generate a relay identity and profile artifact, ingest both into the store
+ *
+ * Creates an Ed25519 keypair, signs an identity genesis operation, derives
+ * the DID, then signs a profile artifact with the relay's name. Both the
+ * identity genesis and profile artifact are ingested into the store so
+ * they are available via the relay's proof plane routes.
+ */
+declare const bootstrapRelayIdentity: (store: RelayStore) => Promise<RelayIdentity>;
 /**
  * Create a DFOS web relay Hono application
  *
  * The returned app is portable — mount it on any Hono-compatible runtime
  * (Node.js, Cloudflare Workers, Deno, Bun, etc.).
+ *
+ * When `identity` is provided, the relay uses the given DID and profile. When
+ * omitted, a JIT identity and profile artifact are generated at startup.
  */
-declare const createRelay: (options: RelayOptions) => Hono;
+declare const createRelay: (options: RelayOptions) => Promise<Hono>;
 /**
  * In-memory relay store — all data lives in Maps, lost on restart
@@ -94,6 +138,7 @@ declare class MemoryRelayStore implements RelayStore {
     private beacons;
     private blobs;
     private countersignatures;
+    private operationLog;
     getOperation(cid: string): Promise<StoredOperation | undefined>;
     putOperation(op: StoredOperation): Promise<void>;
     getIdentityChain(did: string): Promise<StoredIdentityChain | undefined>;
@@ -106,6 +151,14 @@ declare class MemoryRelayStore implements RelayStore {
     putBlob(key: BlobKey, data: Uint8Array): Promise<void>;
     getCountersignatures(operationCID: string): Promise<string[]>;
     addCountersignature(operationCID: string, jwsToken: string): Promise<void>;
+    appendToLog(entry: LogEntry): Promise<void>;
+    readLog(params: {
+        after?: string;
+        limit: number;
+    }): Promise<{
+        entries: LogEntry[];
+        cursor: string | null;
+    }>;
 }
 /**
@@ -140,4 +193,4 @@ declare const createCurrentKeyResolver: (store: RelayStore) => (kid: string) =>
  */
 declare const ingestOperations: (tokens: string[], store: RelayStore) => Promise<IngestionResult[]>;
-export { type BlobKey, type IngestionResult, MemoryRelayStore, type RelayOptions, type RelayStore, type StoredBeacon, type StoredContentChain, type StoredIdentityChain, type StoredOperation, createCurrentKeyResolver, createKeyResolver, createRelay, ingestOperations };
+export { type BlobKey, type IngestionResult, type LogEntry, MemoryRelayStore, type OperationKind, type RelayIdentity, type RelayOptions, type RelayStore, type StoredBeacon, type StoredContentChain, type StoredIdentityChain, type StoredOperation, bootstrapRelayIdentity, createCurrentKeyResolver, createKeyResolver, createRelay, ingestOperations };

package/dist/index.js CHANGED Viewed

@@ -1,21 +1,25 @@
-// src/relay.ts
-import { VC_TYPE_CONTENT_READ, verifyCredential } from "@metalabel/dfos-protocol/credentials";
-import { dagCborCanonicalEncode as dagCborCanonicalEncode2, decodeJwsUnsafe as decodeJwsUnsafe3 } from "@metalabel/dfos-protocol/crypto";
-import { Hono } from "hono";
-import { z } from "zod";
-// src/auth.ts
-import { verifyAuthToken } from "@metalabel/dfos-protocol/credentials";
-import { decodeJwsUnsafe as decodeJwsUnsafe2 } from "@metalabel/dfos-protocol/crypto";
+// src/bootstrap.ts
+import {
+  encodeEd25519Multikey,
+  signArtifact,
+  signIdentityOperation
+} from "@metalabel/dfos-protocol/chain";
+import {
+  createNewEd25519Keypair,
+  generateId,
+  signPayloadEd25519
+} from "@metalabel/dfos-protocol/crypto";
 // src/ingest.ts
 import {
   decodeMultikey,
+  verifyArtifact,
   verifyBeacon,
-  verifyBeaconCountersignature,
   verifyContentChain,
+  verifyContentExtensionFromTrustedState,
   verifyCountersignature,
-  verifyIdentityChain
+  verifyIdentityChain,
+  verifyIdentityExtensionFromTrustedState
 } from "@metalabel/dfos-protocol/chain";
 import { dagCborCanonicalEncode, decodeJwsUnsafe } from "@metalabel/dfos-protocol/crypto";
 var classify = (jwsToken) => {
@@ -44,30 +48,10 @@ var classify = (jwsToken) => {
   }
   if (typ === "did:dfos:content-op") {
     const opDID = typeof payload["did"] === "string" ? payload["did"] : null;
-    if (opDID && kidDID && kidDID !== opDID) {
-      return {
-        ...base,
-        kind: "countersig",
-        referencedDID: opDID,
-        signerDID: kidDID,
-        priority: 3,
-        previousCID: null
-      };
-    }
     return { ...base, kind: "content-op", referencedDID: null, signerDID: opDID, priority: 2 };
   }
   if (typ === "did:dfos:beacon") {
     const beaconDID = typeof payload["did"] === "string" ? payload["did"] : null;
-    if (beaconDID && kidDID && kidDID !== beaconDID) {
-      return {
-        ...base,
-        kind: "beacon-countersig",
-        referencedDID: beaconDID,
-        signerDID: kidDID,
-        priority: 3,
-        previousCID: null
-      };
-    }
     return {
       ...base,
       kind: "beacon",
@@ -77,6 +61,30 @@ var classify = (jwsToken) => {
       previousCID: null
     };
   }
+  if (typ === "did:dfos:countersign") {
+    const witnessDID = typeof payload["did"] === "string" ? payload["did"] : null;
+    return {
+      ...base,
+      kind: "countersign",
+      referencedDID: witnessDID,
+      signerDID: null,
+      priority: 3,
+      // processed last — target must already be ingested
+      previousCID: null
+    };
+  }
+  if (typ === "did:dfos:artifact") {
+    const artifactDID = typeof payload["did"] === "string" ? payload["did"] : null;
+    return {
+      ...base,
+      kind: "artifact",
+      referencedDID: artifactDID,
+      signerDID: null,
+      priority: 1,
+      // same as beacons — needs identity keys resolved first
+      previousCID: null
+    };
+  }
   return unknown;
 };
 var createKeyResolver = (store) => async (kid) => {
@@ -135,15 +143,32 @@ var ingestIdentityOp = async (jwsToken, store) => {
   const encoded = await dagCborCanonicalEncode(payload);
   const cid = encoded.cid.toString();
   const existing = await store.getOperation(cid);
-  if (existing) return { cid, status: "accepted", kind: "identity-op", chainId: existing.chainId };
+  if (existing) {
+    if (existing.jwsToken !== jwsToken) {
+      return {
+        cid,
+        status: "rejected",
+        error: "operation already exists with a different signature"
+      };
+    }
+    return { cid, status: "accepted", kind: "identity-op", chainId: existing.chainId };
+  }
   const opType = payload["type"];
   const isGenesis = opType === "create";
   if (isGenesis) {
-    const identity2 = await verifyIdentityChain({ didPrefix: "did:dfos", log: [jwsToken] });
-    const chain2 = { did: identity2.did, log: [jwsToken], state: identity2 };
+    const identity = await verifyIdentityChain({ didPrefix: "did:dfos", log: [jwsToken] });
+    const createdAt = payload["createdAt"];
+    const chain2 = {
+      did: identity.did,
+      log: [jwsToken],
+      headCID: cid,
+      lastCreatedAt: createdAt,
+      state: identity
+    };
     await store.putIdentityChain(chain2);
-    await store.putOperation({ cid, jwsToken, chainType: "identity", chainId: identity2.did });
-    return { cid, status: "accepted", kind: "identity-op", chainId: identity2.did };
+    await store.putOperation({ cid, jwsToken, chainType: "identity", chainId: identity.did });
+    await store.appendToLog({ cid, jwsToken, kind: "identity-op", chainId: identity.did });
+    return { cid, status: "accepted", kind: "identity-op", chainId: identity.did };
   }
   const kid = decoded.header.kid;
   const hashIdx = kid.indexOf("#");
@@ -151,11 +176,22 @@ var ingestIdentityOp = async (jwsToken, store) => {
   const did = kid.substring(0, hashIdx);
   const chain = await store.getIdentityChain(did);
   if (!chain) return { cid, status: "rejected", error: `unknown identity: ${did}` };
-  const newLog = [...chain.log, jwsToken];
-  const identity = await verifyIdentityChain({ didPrefix: "did:dfos", log: newLog });
-  const updated = { did: identity.did, log: newLog, state: identity };
+  const extResult = await verifyIdentityExtensionFromTrustedState({
+    currentState: chain.state,
+    headCID: chain.headCID,
+    lastCreatedAt: chain.lastCreatedAt,
+    newOp: jwsToken
+  });
+  const updated = {
+    did: chain.did,
+    log: [...chain.log, jwsToken],
+    headCID: extResult.operationCID,
+    lastCreatedAt: extResult.createdAt,
+    state: extResult.state
+  };
   await store.putIdentityChain(updated);
   await store.putOperation({ cid, jwsToken, chainType: "identity", chainId: did });
+  await store.appendToLog({ cid, jwsToken, kind: "identity-op", chainId: did });
   return { cid, status: "accepted", kind: "identity-op", chainId: did };
 };
 var ingestContentOp = async (jwsToken, store) => {
@@ -165,25 +201,44 @@ var ingestContentOp = async (jwsToken, store) => {
   const encoded = await dagCborCanonicalEncode(payload);
   const cid = encoded.cid.toString();
   const existing = await store.getOperation(cid);
-  if (existing) return { cid, status: "accepted", kind: "content-op", chainId: existing.chainId };
+  if (existing) {
+    if (existing.jwsToken !== jwsToken) {
+      return {
+        cid,
+        status: "rejected",
+        error: "operation already exists with a different signature"
+      };
+    }
+    return { cid, status: "accepted", kind: "content-op", chainId: existing.chainId };
+  }
+  const signerDID = payload["did"];
+  if (typeof signerDID === "string") {
+    const signerIdentity = await store.getIdentityChain(signerDID);
+    if (signerIdentity?.state.isDeleted) {
+      return { cid, status: "rejected", error: "signer identity is deleted" };
+    }
+  }
   const resolveKey = createKeyResolver(store);
   const opType = payload["type"];
   const isGenesis = opType === "create";
   if (isGenesis) {
-    const content2 = await verifyContentChain({
+    const content = await verifyContentChain({
       log: [jwsToken],
       resolveKey,
       enforceAuthorization: true
     });
+    const createdAt = payload["createdAt"];
     const chain2 = {
-      contentId: content2.contentId,
-      genesisCID: content2.genesisCID,
+      contentId: content.contentId,
+      genesisCID: content.genesisCID,
       log: [jwsToken],
-      state: content2
+      lastCreatedAt: createdAt,
+      state: content
     };
     await store.putContentChain(chain2);
-    await store.putOperation({ cid, jwsToken, chainType: "content", chainId: content2.contentId });
-    return { cid, status: "accepted", kind: "content-op", chainId: content2.contentId };
+    await store.putOperation({ cid, jwsToken, chainType: "content", chainId: content.contentId });
+    await store.appendToLog({ cid, jwsToken, kind: "content-op", chainId: content.contentId });
+    return { cid, status: "accepted", kind: "content-op", chainId: content.contentId };
   }
   const previousCID = payload["previousOperationCID"];
   if (typeof previousCID !== "string") {
@@ -198,24 +253,31 @@ var ingestContentOp = async (jwsToken, store) => {
   const chain = await store.getContentChain(prevOp.chainId);
   if (!chain)
     return { cid, status: "rejected", error: `content chain not found: ${prevOp.chainId}` };
+  const creatorIdentity = await store.getIdentityChain(chain.state.creatorDID);
+  if (creatorIdentity?.state.isDeleted) {
+    return { cid, status: "rejected", error: "content creator identity is deleted" };
+  }
   if (chain.state.headCID !== previousCID) {
     return { cid, status: "rejected", error: "chain has diverged (first-seen-wins)" };
   }
-  const newLog = [...chain.log, jwsToken];
-  const content = await verifyContentChain({
-    log: newLog,
+  const extResult = await verifyContentExtensionFromTrustedState({
+    currentState: chain.state,
+    lastCreatedAt: chain.lastCreatedAt,
+    newOp: jwsToken,
     resolveKey,
     enforceAuthorization: true
   });
   const updated = {
-    contentId: content.contentId,
-    genesisCID: content.genesisCID,
-    log: newLog,
-    state: content
+    contentId: chain.contentId,
+    genesisCID: chain.genesisCID,
+    log: [...chain.log, jwsToken],
+    lastCreatedAt: extResult.createdAt,
+    state: extResult.state
   };
   await store.putContentChain(updated);
-  await store.putOperation({ cid, jwsToken, chainType: "content", chainId: content.contentId });
-  return { cid, status: "accepted", kind: "content-op", chainId: content.contentId };
+  await store.putOperation({ cid, jwsToken, chainType: "content", chainId: chain.contentId });
+  await store.appendToLog({ cid, jwsToken, kind: "content-op", chainId: chain.contentId });
+  return { cid, status: "accepted", kind: "content-op", chainId: chain.contentId };
 };
 var ingestBeacon = async (jwsToken, store) => {
   const resolveKey = createKeyResolver(store);
@@ -228,6 +290,10 @@ var ingestBeacon = async (jwsToken, store) => {
   }
   const did = verified.payload.did;
   const cid = verified.beaconCID;
+  const identity = await store.getIdentityChain(did);
+  if (identity?.state.isDeleted) {
+    return { cid, status: "rejected", error: "identity is deleted" };
+  }
   const existing = await store.getBeacon(did);
   if (existing) {
     const existingTime = new Date(existing.state.payload.createdAt).getTime();
@@ -237,72 +303,96 @@ var ingestBeacon = async (jwsToken, store) => {
     }
   }
   await store.putBeacon({ did, jwsToken, beaconCID: cid, state: verified });
+  await store.putOperation({ cid, jwsToken, chainType: "beacon", chainId: did });
+  await store.appendToLog({ cid, jwsToken, kind: "beacon", chainId: did });
   return { cid, status: "accepted", kind: "beacon", chainId: did };
 };
-var ingestCountersig = async (jwsToken, store) => {
-  const decoded = decodeJwsUnsafe(jwsToken);
-  if (!decoded) return { cid: "", status: "rejected", error: "failed to decode JWS" };
-  const payload = decoded.payload;
-  const encoded = await dagCborCanonicalEncode(payload);
-  const operationCID = encoded.cid.toString();
-  const existingOp = await store.getOperation(operationCID);
-  if (!existingOp) {
-    return { cid: operationCID, status: "rejected", error: `unknown operation: ${operationCID}` };
-  }
+var ingestCountersign = async (jwsToken, store) => {
   const resolveKey = createKeyResolver(store);
+  let verified;
   try {
-    await verifyCountersignature({ jwsToken, expectedCID: operationCID, resolveKey });
+    verified = await verifyCountersignature({ jwsToken, resolveKey });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: operationCID, status: "rejected", error: message };
-  }
-  await store.addCountersignature(operationCID, jwsToken);
-  return {
-    cid: operationCID,
-    status: "accepted",
-    kind: "countersig",
-    chainId: existingOp.chainId
-  };
-};
-var ingestBeaconCountersig = async (jwsToken, store) => {
-  const decoded = decodeJwsUnsafe(jwsToken);
-  if (!decoded) return { cid: "", status: "rejected", error: "failed to decode JWS" };
-  const payload = decoded.payload;
-  const encoded = await dagCborCanonicalEncode(payload);
-  const beaconCID = encoded.cid.toString();
-  const beaconDID = typeof payload["did"] === "string" ? payload["did"] : null;
-  if (!beaconDID) {
-    return { cid: beaconCID, status: "rejected", error: "missing beacon DID" };
+    return { cid: "", status: "rejected", error: message };
   }
-  const existingBeacon = await store.getBeacon(beaconDID);
-  if (!existingBeacon) {
-    return { cid: beaconCID, status: "rejected", error: `unknown beacon for DID: ${beaconDID}` };
+  const cid = verified.countersignCID;
+  const { witnessDID, targetCID } = verified;
+  const existing = await store.getOperation(cid);
+  if (existing) {
+    if (existing.jwsToken !== jwsToken) {
+      return {
+        cid,
+        status: "rejected",
+        error: "countersign already exists with a different signature"
+      };
+    }
+    return { cid, status: "accepted", kind: "countersign", chainId: targetCID };
   }
-  if (existingBeacon.beaconCID !== beaconCID) {
-    return {
-      cid: beaconCID,
-      status: "rejected",
-      error: "beacon countersignature CID does not match current beacon"
-    };
+  const targetOp = await store.getOperation(targetCID);
+  if (!targetOp) {
+    return { cid, status: "rejected", error: `unknown target operation: ${targetCID}` };
+  }
+  let targetAuthorDID = null;
+  if (targetOp.chainType === "identity") {
+    targetAuthorDID = targetOp.chainId;
+  } else {
+    const targetDecoded = decodeJwsUnsafe(targetOp.jwsToken);
+    if (targetDecoded) {
+      const targetPayload = targetDecoded.payload;
+      targetAuthorDID = typeof targetPayload["did"] === "string" ? targetPayload["did"] : null;
+    }
+  }
+  if (targetAuthorDID && witnessDID === targetAuthorDID) {
+    return { cid, status: "rejected", error: "witness DID must differ from target author DID" };
+  }
+  const witnessIdentity = await store.getIdentityChain(witnessDID);
+  if (witnessIdentity?.state.isDeleted) {
+    return { cid, status: "rejected", error: "witness identity is deleted" };
+  }
+  const existingCountersigns = await store.getCountersignatures(targetCID);
+  for (const csJws of existingCountersigns) {
+    const csDecoded = decodeJwsUnsafe(csJws);
+    if (!csDecoded) continue;
+    const csPayload = csDecoded.payload;
+    if (csPayload["did"] === witnessDID) {
+      return { cid, status: "accepted", kind: "countersign", chainId: targetCID };
+    }
   }
+  await store.putOperation({ cid, jwsToken, chainType: "countersign", chainId: targetCID });
+  await store.addCountersignature(targetCID, jwsToken);
+  await store.appendToLog({ cid, jwsToken, kind: "countersign", chainId: targetCID });
+  return { cid, status: "accepted", kind: "countersign", chainId: targetCID };
+};
+var ingestArtifact = async (jwsToken, store) => {
   const resolveKey = createKeyResolver(store);
+  let verified;
   try {
-    await verifyBeaconCountersignature({
-      jwsToken,
-      expectedCID: beaconCID,
-      resolveKey
-    });
+    verified = await verifyArtifact({ jwsToken, resolveKey });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: beaconCID, status: "rejected", error: message };
-  }
-  await store.addCountersignature(beaconCID, jwsToken);
-  return {
-    cid: beaconCID,
-    status: "accepted",
-    kind: "beacon-countersig",
-    chainId: beaconDID
-  };
+    return { cid: "", status: "rejected", error: message };
+  }
+  const cid = verified.artifactCID;
+  const did = verified.payload.did;
+  const existing = await store.getOperation(cid);
+  if (existing) {
+    if (existing.jwsToken !== jwsToken) {
+      return {
+        cid,
+        status: "rejected",
+        error: "artifact already exists with a different signature"
+      };
+    }
+    return { cid, status: "accepted", kind: "artifact", chainId: did };
+  }
+  const identity = await store.getIdentityChain(did);
+  if (identity?.state.isDeleted) {
+    return { cid, status: "rejected", error: "identity is deleted" };
+  }
+  await store.putOperation({ cid, jwsToken, chainType: "artifact", chainId: did });
+  await store.appendToLog({ cid, jwsToken, kind: "artifact", chainId: did });
+  return { cid, status: "accepted", kind: "artifact", chainId: did };
 };
 var dependencySort = (ops) => {
   const buckets = /* @__PURE__ */ new Map();
@@ -378,11 +468,11 @@ var ingestOperations = async (tokens, store) => {
         case "beacon":
           result = await ingestBeacon(op.jwsToken, store);
           break;
-        case "countersig":
-          result = await ingestCountersig(op.jwsToken, store);
+        case "countersign":
+          result = await ingestCountersign(op.jwsToken, store);
           break;
-        case "beacon-countersig":
-          result = await ingestBeaconCountersig(op.jwsToken, store);
+        case "artifact":
+          result = await ingestArtifact(op.jwsToken, store);
           break;
         default:
           result = { cid: "", status: "rejected", error: "unrecognized operation type" };
@@ -399,7 +489,65 @@ var ingestOperations = async (tokens, store) => {
   return indexedResults.sort((a, b) => a.index - b.index).map((r) => r.result);
 };
+// src/bootstrap.ts
+var bootstrapRelayIdentity = async (store) => {
+  const keypair = createNewEd25519Keypair();
+  const keyId = generateId("key");
+  const multibase = encodeEd25519Multikey(keypair.publicKey);
+  const signer = async (msg) => signPayloadEd25519(msg, keypair.privateKey);
+  const key = { id: keyId, type: "Multikey", publicKeyMultibase: multibase };
+  const identityOp = {
+    version: 1,
+    type: "create",
+    authKeys: [key],
+    assertKeys: [key],
+    controllerKeys: [key],
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const { jwsToken: identityJws } = await signIdentityOperation({
+    operation: identityOp,
+    signer,
+    keyId
+  });
+  const [identityResult] = await ingestOperations([identityJws], store);
+  if (!identityResult || identityResult.status !== "accepted" || !identityResult.chainId) {
+    throw new Error(`failed to bootstrap relay identity: ${identityResult?.error ?? "unknown"}`);
+  }
+  const did = identityResult.chainId;
+  const profilePayload = {
+    version: 1,
+    type: "artifact",
+    did,
+    content: {
+      $schema: "https://schemas.dfos.com/profile/v1",
+      name: "DFOS Relay"
+    },
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const kid = `${did}#${keyId}`;
+  const { jwsToken: profileArtifactJws } = await signArtifact({
+    payload: profilePayload,
+    signer,
+    kid
+  });
+  const [artifactResult] = await ingestOperations([profileArtifactJws], store);
+  if (!artifactResult || artifactResult.status !== "accepted") {
+    throw new Error(
+      `failed to ingest relay profile artifact: ${artifactResult?.error ?? "unknown"}`
+    );
+  }
+  return { did, profileArtifactJws };
+};
+// src/relay.ts
+import { VC_TYPE_CONTENT_READ, verifyCredential } from "@metalabel/dfos-protocol/credentials";
+import { dagCborCanonicalEncode as dagCborCanonicalEncode2, decodeJwsUnsafe as decodeJwsUnsafe3 } from "@metalabel/dfos-protocol/crypto";
+import { Hono } from "hono";
+import { z } from "zod";
 // src/auth.ts
+import { verifyAuthToken } from "@metalabel/dfos-protocol/credentials";
+import { decodeJwsUnsafe as decodeJwsUnsafe2 } from "@metalabel/dfos-protocol/crypto";
 var authenticateRequest = async (authHeader, relayDID, store) => {
   if (!authHeader) return null;
   if (!authHeader.startsWith("Bearer ")) return null;
@@ -427,14 +575,21 @@ var authenticateRequest = async (authHeader, relayDID, store) => {
 var IngestBody = z.object({
   operations: z.array(z.string()).min(1).max(100)
 });
-var createRelay = (options) => {
-  const { relayDID, store } = options;
+var createRelay = async (options) => {
+  const { store } = options;
+  const contentEnabled = options.content !== false;
+  const identity = options.identity ?? await bootstrapRelayIdentity(store);
+  const relayDID = identity.did;
+  const profileArtifactJws = identity.profileArtifactJws;
   const app = new Hono();
   app.get("/.well-known/dfos-relay", (c) => {
     return c.json({
       did: relayDID,
       protocol: "dfos-web-relay",
-      version: "0.1.0"
+      version: "0.1.0",
+      proof: true,
+      content: contentEnabled,
+      profile: profileArtifactJws
     });
   });
   app.post("/operations", async (c) => {
@@ -462,16 +617,54 @@ var createRelay = (options) => {
       chainId: op.chainId
     });
   });
+  app.get("/identities/:did/log", async (c) => {
+    const did = c.req.param("did");
+    const chain = await store.getIdentityChain(did);
+    if (!chain) return c.json({ error: "not found" }, 404);
+    const after = c.req.query("after");
+    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const entries = chain.log.map((jws) => {
+      const decoded = decodeJwsUnsafe3(jws);
+      return { cid: decoded?.header.cid || "", jwsToken: jws };
+    });
+    let startIdx = 0;
+    if (after) {
+      const idx = entries.findIndex((e) => e.cid === after);
+      startIdx = idx >= 0 ? idx + 1 : entries.length;
+    }
+    const page = entries.slice(startIdx, startIdx + limit);
+    const cursor = page.length === limit ? page[page.length - 1].cid : null;
+    return c.json({ entries: page, cursor });
+  });
   app.get("/identities/:did{.+}", async (c) => {
     const did = c.req.param("did");
     const chain = await store.getIdentityChain(did);
     if (!chain) return c.json({ error: "not found" }, 404);
     return c.json({
       did: chain.did,
-      log: chain.log,
+      headCID: chain.headCID,
       state: chain.state
     });
   });
+  app.get("/content/:contentId/log", async (c) => {
+    const contentId = c.req.param("contentId");
+    const chain = await store.getContentChain(contentId);
+    if (!chain) return c.json({ error: "not found" }, 404);
+    const after = c.req.query("after");
+    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const entries = chain.log.map((jws) => {
+      const decoded = decodeJwsUnsafe3(jws);
+      return { cid: decoded?.header.cid || "", jwsToken: jws };
+    });
+    let startIdx = 0;
+    if (after) {
+      const idx = entries.findIndex((e) => e.cid === after);
+      startIdx = idx >= 0 ? idx + 1 : entries.length;
+    }
+    const page = entries.slice(startIdx, startIdx + limit);
+    const cursor = page.length === limit ? page[page.length - 1].cid : null;
+    return c.json({ entries: page, cursor });
+  });
   app.get("/content/:contentId", async (c) => {
     const contentId = c.req.param("contentId");
     const chain = await store.getContentChain(contentId);
@@ -479,7 +672,7 @@ var createRelay = (options) => {
     return c.json({
       contentId: chain.contentId,
       genesisCID: chain.genesisCID,
-      log: chain.log,
+      headCID: chain.state.headCID,
       state: chain.state
     });
   });
@@ -512,7 +705,14 @@ var createRelay = (options) => {
       payload: beacon.state.payload
     });
   });
+  app.get("/log", async (c) => {
+    const afterParam = c.req.query("after");
+    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const result = await store.readLog(afterParam ? { after: afterParam, limit } : { limit });
+    return c.json(result);
+  });
   app.put("/content/:contentId/blob/:operationCID", async (c) => {
+    if (!contentEnabled) return c.json({ error: "content plane not available" }, 501);
     const contentId = c.req.param("contentId");
     const operationCID = c.req.param("operationCID");
     const auth = await authenticateRequest(c.req.header("authorization"), relayDID, store);
@@ -550,6 +750,7 @@ var createRelay = (options) => {
     return c.json({ status: "stored", contentId, documentCID, operationCID });
   });
   app.get("/content/:contentId/blob", async (c) => {
+    if (!contentEnabled) return c.json({ error: "content plane not available" }, 501);
     return await readBlob({
       contentId: c.req.param("contentId"),
       ref: "head",
@@ -560,6 +761,7 @@ var createRelay = (options) => {
     });
   });
   app.get("/content/:contentId/blob/:ref", async (c) => {
+    if (!contentEnabled) return c.json({ error: "content plane not available" }, 501);
     return await readBlob({
       contentId: c.req.param("contentId"),
       ref: c.req.param("ref"),
@@ -627,6 +829,10 @@ var verifyReadCredential = async (auth, chain, contentId, credHeader, store) =>
     if (vcIssuerDID !== chain.state.creatorDID) {
       throw new Error("credential must be issued by the chain creator");
     }
+    const issuerIdentity = await store.getIdentityChain(vcIssuerDID);
+    if (issuerIdentity?.state.isDeleted) {
+      throw new Error("credential issuer identity is deleted");
+    }
     const creatorKey = await resolveKey(vcHeader.kid);
     const credential = verifyCredential({
       token: credHeader,
@@ -657,6 +863,7 @@ var MemoryRelayStore = class {
   beacons = /* @__PURE__ */ new Map();
   blobs = /* @__PURE__ */ new Map();
   countersignatures = /* @__PURE__ */ new Map();
+  operationLog = [];
   async getOperation(cid) {
     return this.operations.get(cid);
   }
@@ -707,9 +914,24 @@ var MemoryRelayStore = class {
     existing.push(jwsToken);
     this.countersignatures.set(operationCID, existing);
   }
+  async appendToLog(entry) {
+    this.operationLog.push(entry);
+  }
+  async readLog(params) {
+    let startIdx = 0;
+    if (params.after) {
+      const idx = this.operationLog.findIndex((e) => e.cid === params.after);
+      if (idx >= 0) startIdx = idx + 1;
+      else startIdx = this.operationLog.length;
+    }
+    const entries = this.operationLog.slice(startIdx, startIdx + params.limit);
+    const cursor = entries.length === params.limit ? entries[entries.length - 1].cid : null;
+    return { entries, cursor };
+  }
 };
 export {
   MemoryRelayStore,
+  bootstrapRelayIdentity,
   createCurrentKeyResolver,
   createKeyResolver,
   createRelay,

package/dist/serve.d.ts CHANGED Viewed

@@ -12,7 +12,7 @@ interface ServeOptions {
  * import { createRelay, MemoryRelayStore } from '@metalabel/dfos-web-relay';
  * import { serve } from '@metalabel/dfos-web-relay/node';
  *
- * const relay = createRelay({ relayDID: 'did:dfos:myrelay', store: new MemoryRelayStore() });
+ * const relay = await createRelay({ store: new MemoryRelayStore() });
  * serve(relay, { port: 4444 });
  * ```
  */

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@metalabel/dfos-web-relay",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "type": "module",
   "description": "DFOS Web Relay — verifying HTTP relay for identity chains, content chains, beacons, and content blobs",
   "license": "MIT",
@@ -42,7 +42,7 @@
     "README.md"
   ],
   "dependencies": {
-    "hono": "^4.12.5",
+    "hono": "^4.12.8",
     "zod": "^4.3.6"
   },
   "peerDependencies": {
@@ -51,13 +51,15 @@
   "devDependencies": {
     "@types/node": "^24.10.4",
     "tsup": "^8.5.1",
-    "vitest": "^4.0.18",
-    "@metalabel/dfos-protocol": "0.4.0"
+    "tsx": "^4.20.3",
+    "vitest": "^4.1.0",
+    "@metalabel/dfos-protocol": "0.5.0"
   },
   "scripts": {
     "build": "tsup",
     "clean": "rm -rf dist",
     "typecheck": "tsc --noEmit",
-    "test": "vitest run"
+    "test": "vitest run",
+    "test:conformance": "./tests/run-conformance.sh"
   }
 }